
Re: Sub-origins

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 29 Aug 2013 19:23:57 -0700
Message-ID: <5220023D.70509@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 8/29/2013 2:26 PM, Joel Weinberger wrote:
> Perhaps I'm missing something, though. Brad, is this not a concern of
> yours? How would we expect a legacy browser, for example, to gracefully
> handle a hash origin or http://foo$bar.com <http://bar.com> origin?

When would a legacy browser see one of those? They won't understand the
suborigin header themselves so they won't create any. The only times I
can think of are if web-served scripts blindly pass such a thing to
postMessage(). Either the legacy browser will barf on the malformed
origin or it simply won't match the plain origin of the target window --
the message isn't going to make it.

Web apps that want to use suborigins will have to know which browsers
support it somehow. Or not use the features that have no graceful
fallback if legacy browsers just do what they've always done.

Create a document.location.suborigin? Then if it's undefined sites can
know not to use that format. For convenience that value could be the
full serialized origin+suborigin in whatever format we come up with
rather than just the suborigin string which probably isn't interesting
on its own anyway.

-Dan Veditz



Received on Friday, 30 August 2013 02:24:30 UTC
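
Added example, not part of the message above or of any specification: a sketch of the feature detection the message proposes, plus a simplified model of why a suborigin-style target never matches in a legacy browser's postMessage() check. The `suborigin` property is the hypothetical one proposed in the message, the function names are made up here, and the sample location objects are constructed.

```javascript
// `loc.suborigin` is the property proposed in the message; it is hypothetical
// and its serialization format is undecided. Function names are illustrative.

// Feature detection: pick the origin string to hand to postMessage().
// A legacy browser leaves `suborigin` undefined, so fall back to the plain origin.
function targetOriginFor(loc) {
  return loc.suborigin !== undefined ? loc.suborigin : loc.origin;
}

// Simplified model of a legacy browser's targetOrigin check in postMessage():
// a target that does not parse as a URL is rejected outright, and one that
// parses must equal the target window's plain origin or the message is dropped.
function legacyPostMessageOutcome(targetOrigin, windowOrigin) {
  if (targetOrigin === "*") return "delivered";
  let parsed;
  try {
    parsed = new URL(targetOrigin);
  } catch (e) {
    return "rejected"; // the "barf on the malformed origin" case
  }
  return parsed.origin === windowOrigin ? "delivered" : "dropped";
}

// Constructed sample locations: one legacy, one with the proposed property.
const legacyLocation = { origin: "http://bar.com" };
const supportingLocation = {
  origin: "http://bar.com",
  suborigin: "http://foo$bar.com", // format taken from the quoted question
};

// A script that blindly passes the suborigin form to a legacy browser:
const blindOutcome = legacyPostMessageOutcome(
  supportingLocation.suborigin,
  legacyLocation.origin
);

// A script that feature-detects first sends the plain origin instead:
const detectedOutcome = legacyPostMessageOutcome(
  targetOriginFor(legacyLocation),
  legacyLocation.origin
);

console.log({ blindOutcome, detectedOutcome });
```

Whether the legacy parser rejects the suborigin string or accepts it and fails the comparison, the blind send is never delivered, which is the either/or the message describes.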
